*** swann_ has joined #openstack-climate | 00:47 | |
*** SergeyLukjanov2 has joined #openstack-climate | 00:55 | |
*** SergeyLukjanov has quit IRC | 00:55 | |
*** swann has quit IRC | 00:55 | |
*** SergeyLukjanov2 is now known as SergeyLukjanov | 00:55 | |
*** openstackgerrit has quit IRC | 01:18 | |
*** openstackgerrit has joined #openstack-climate | 01:18 | |
*** DinaBelova_ is now known as DinaBelova | 05:43 | |
*** saju_m has joined #openstack-climate | 06:36 | |
*** DinaBelova is now known as DinaBelova_ | 07:58 | |
*** bauzas has joined #openstack-climate | 08:18 | |
*** saju_m has quit IRC | 08:31 | |
*** saju_m has joined #openstack-climate | 09:01 | |
*** DinaBelova_ is now known as DinaBelova | 09:01 | |
*** saju_m has quit IRC | 09:02 | |
*** saju_m has joined #openstack-climate | 09:21 | |
*** chandan_kumar has joined #openstack-climate | 09:25 | |
*** chandan_kumar has quit IRC | 09:51 | |
*** chandan_kumar has joined #openstack-climate | 10:05 | |
bauzas | DinaBelova: hi | 10:18 |
bauzas | DinaBelova: about how we should verify if user has enough rights for showing the result | 10:19 |
DinaBelova | yes? | 10:19 |
bauzas | DinaBelova: that's something looping into my mind for a certain amount of time :D | 10:19 |
bauzas | DinaBelova: there are pros and cons | 10:20 |
bauzas | DinaBelova: as we don't have conductors, the only correct way for placing a call to DB is to pass thru the manager | 10:20 |
bauzas | DinaBelova: but we enforce context validation at the API level | 10:20 |
bauzas | DinaBelova: the thing is, should we say that we should place a second call to the Manager for each call, just for verifying if user has rights ? | 10:21 |
bauzas | DinaBelova: that's a penalty thing | 10:21 |
DinaBelova | bauzas, I may even tell you | 10:22 |
DinaBelova | that now we have 2 requests to manager while updating for example | 10:22 |
bauzas | DinaBelova: well you're right | 10:23 |
bauzas | DinaBelova: but I was more likely thinking of a post-check | 10:23 |
DinaBelova | but that's not too much - speaking about the fact we're using RPC only to have possibility take resource by name | 10:23 |
DinaBelova | not by id | 10:23 |
DinaBelova | there are lots of calls | 10:23 |
bauzas | DinaBelova: the idea is to loosely leave going thru the Manager for placing the call, and then only at the response time, check that the object matches the creds | 10:23 |
YorikSar | bauzas: Hello | 10:24 |
bauzas | YorikSar: hi | 10:24 |
DinaBelova | bauzas, am I right that you propose to have smth like - user wants to update lease -> manager updates lease -> user has no rights -> it should be some kind of transaction to go back? | 10:25 |
DinaBelova | and i'm not about tenants | 10:25 |
DinaBelova | but also about admin rules | 10:25 |
DinaBelova | any other rules | 10:25 |
DinaBelova | etc. | 10:25 |
bauzas | DinaBelova: mmm, you're right | 10:27 |
bauzas | DinaBelova: at the moment, the check is done on the DB side | 10:27 |
YorikSar | bauzas: I see about 3 ways for handling that "target" field. We can do as Dina suggested (and as it is done in Keystone); we can pass all necessary information for authorization to DB and let it filter out elements that the user doesn't have access to; we can complete task and verify if we could do it afterwards judging by return value. | 10:27 |
YorikSar | bauzas: The third one is how I understood your "post-check" proposal. Is it right? | 10:28 |
bauzas | YorikSar: that's the 3 options I thought about, yes | 10:28 |
*** chandan_kumar has quit IRC | 10:28 | |
bauzas | YorikSar: the main thing is that option #3 is only working for GET | 10:28 |
bauzas | so, that needs to be mixed with option #2 for PUT/POST | 10:28 |
bauzas | YorikSar: DinaBelova: well, is it OK if you leave me thinking about your option #1 proposal this week-end ? | 10:29 |
YorikSar | The problem with the second one is that we can't translate everything we have configured in policy.json to DB layer. | 10:30 |
YorikSar | The 3rd option works only for GET, right... But it works only for getting single objects as for lists we have a significant disadvantage in transferring e.g. list of all leases back and forth without knowing if the user even has access to this list. | 10:31 |
DinaBelova | bauzas, offtopic - do you have some kind of bio for Swann? I'm writing incubation proposal and I need info about all core contributors :) | 10:31 |
bauzas | ask him directly ^^ | 10:32 |
bauzas | swann_: ping | 10:32 |
DinaBelova | I asked :D | 10:32 |
DinaBelova | he's not answering :) | 10:32 |
bauzas | DinaBelova: well, I'm just asking him directly :) | 10:32 |
bauzas | privilege of sharing desktops :) | 10:32 |
DinaBelova | фтв ерфеэы еру куфыщт ш фыл нщг Ж) | 10:32 |
DinaBelova | wowowow | 10:32 |
swann_ | hey, what do you want to know about me :D ? | 10:33 |
bauzas | DinaBelova: you're right :D :D :D | 10:33 |
YorikSar | bauzas: Another issue with filtering in DB is that we cannot distinguish between missing elements and elements the user doesn't have access to. | 10:33 |
bauzas | YorikSar: yup, got your view | 10:33 |
YorikSar | bauzas: We can actually push all information needed for auth to Manager so that we won't have extra RPC round-trip... But what's the purpose for API level then? | 10:35 |
YorikSar | bauzas: I actually suggest postponing optimizing GET requests because we should have fully-functional policy checking and then optimize for performance, not vice versa. | 10:38 |
YorikSar | bauzas: Just giving you more things to think about over the weekend :) | 10:39 |
bauzas | YorikSar: that's great | 10:40 |
bauzas | food for thought | 10:40 |
*** bauzas has quit IRC | 10:53 | |
Nikolay_St | hi all | 11:02 |
Nikolay_St | guys, does anyone use latest climate master in environment? | 11:02 |
Nikolay_St | my VMs don't start :( | 11:02 |
*** DinaBelova is now known as DinaBelova_ | 11:03 | |
*** bauzas has joined #openstack-climate | 11:19 | |
*** DinaBelova_ is now known as DinaBelova | 11:20 | |
openstackgerrit | Nikolay Starodubtsev proposed a change to stackforge/python-climateclient: Add test coverage for base client modules https://review.openstack.org/73574 | 11:38 |
*** Nikolay_St has quit IRC | 11:40 | |
openstackgerrit | A change was merged to stackforge/climate: Remove explicit access to is_admin in context https://review.openstack.org/72742 | 11:46 |
openstackgerrit | A change was merged to stackforge/climate: Remove direct assignments of context attributes https://review.openstack.org/72673 | 11:46 |
*** bauzas has quit IRC | 13:03 | |
*** casanch1 has joined #openstack-climate | 13:14 | |
*** bauzas has joined #openstack-climate | 13:25 | |
*** saju_m has quit IRC | 14:10 | |
*** Nikolay_St has joined #openstack-climate | 14:43 | |
*** chmartinez has joined #openstack-climate | 14:47 | |
DinaBelova | bauzas, casanch1, chmartinez, f_rossigneux, Nikolay_St, SergeyLukjanov, swann_ - meeting in 10 mins :) | 14:50 |
bauzas | bauzas: I'm here ! | 14:50 |
bauzas | :D | 14:50 |
DinaBelova | as usual on #openstack-meeting :) | 14:50 |
DinaBelova | bauzas, wow :) | 14:51 |
DinaBelova | cool :) | 14:51 |
DinaBelova | I remember you promised :) | 14:51 |
*** chmartinez_ has joined #openstack-climate | 14:52 | |
bauzas | DinaBelova: ^ ^ | 14:52 |
openstackgerrit | Swann Croiset proposed a change to stackforge/climate: Reworking configuration options https://review.openstack.org/71243 | 14:53 |
SergeyLukjanov | I'm partially here | 14:53 |
*** chmartinez has quit IRC | 14:53 | |
chmartinez_ | I'm here | 14:54 |
casanch1 | :) | 14:55 |
DinaBelova | o/, cool :) | 14:56 |
bauzas | tic tac | 15:01 |
Nikolay_St | DinaBelova: it's time | 15:01 |
*** ddyachkov has joined #openstack-climate | 15:02 | |
*** Nikolay_1t has joined #openstack-climate | 15:09 | |
*** Nikolay_St has quit IRC | 15:09 | |
*** casanch1 has quit IRC | 15:13 | |
*** Nikolay_1t has quit IRC | 15:50 | |
*** casanch1 has joined #openstack-climate | 15:58 | |
*** ddyachkov has quit IRC | 15:59 | |
*** bauzas has quit IRC | 16:05 | |
swann_ | casanch1: FYI .. need to rebase on master (with minor conflict) your patch https://review.openstack.org/#/c/73363/2 | 16:07 |
*** DinaBelova is now known as DinaBelova_ | 16:11 | |
*** DinaBelova_ is now known as DinaBelova | 16:22 | |
*** DinaBelova is now known as DinaBelova_ | 16:40 | |
casanch1 | swann_: ok, will do | 17:13 |
*** DinaBelova_ is now known as DinaBelova | 17:19 | |
openstackgerrit | Cristian A Sanchez proposed a change to stackforge/climate: Update openstack.common with latest oslo-incubator https://review.openstack.org/73363 | 17:28 |
casanch1 | swann_: done | 17:29 |
casanch1 | swann_: thanks for catching that | 17:30 |
*** YorikSar has quit IRC | 18:00 | |
*** casanch1_ has joined #openstack-climate | 18:04 | |
*** casanch1 has quit IRC | 18:05 | |
*** casanch1_ is now known as casanch1 | 18:07 | |
*** casanch1 has quit IRC | 18:11 | |
*** YorikSar has joined #openstack-climate | 18:38 | |
*** casanch1 has joined #openstack-climate | 19:01 | |
*** YorikSar has quit IRC | 20:27 | |
*** YorikSar has joined #openstack-climate | 20:48 | |
*** chmartinez_ has quit IRC | 20:49 | |
*** casanch1 has quit IRC | 21:24 | |
*** DinaBelova is now known as DinaBelova_ | 21:48 | |